diff --git a/LIBVIRT_README.md b/LIBVIRT_README.md new file mode 100644 index 0000000..8240618 --- /dev/null +++ b/LIBVIRT_README.md @@ -0,0 +1,55 @@ +# Detection Lab Libvirt build + +## Intro + +This page contains the instruction to build DetectionLab for Qemu/LibVirt. This is the provider for you *if*: +* You are familiar with LibVirt, virt-manager and Qemu and prefer this software stack instead of VirtualBox +* You are willing to spend a bit more time thinkering with the build process as it is less hands-off than the official DetectionLab + +A [step-by-step guide is available here](https://selorasec.wordpress.com/2019/12/03/ad-in-a-box-for-pocs-and-iocs-on-the-cheap-detectionlab-on-libvirt/#Setting_Up_Vagrant). + +## Prequisite +### LibVirt + +The `libvirt` and `virt-manager` installation walkthrough and documentation is out of scope of this project. To follow along, you need an already working installation of `libvirt`, `virt-manager`, and `QEMU+kvm`. + +### Packer + +1. The [Virtio drivers](https://docs.fedoraproject.org/en-US/quick-docs/creating-windows-virtual-machines-using-virtio-drivers/) ISO needs to be location in the `DetectionLab/Packer/` directory. + +* This is a direct [link to the latest version of the virtio drivers ISO](https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/latest-virtio/virtio-win.iso). +* There's also a "stable" version available [here](https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/stable-virtio/virtio-win.iso). + +2. Edit the windows_X.json files +* Make sure the following user-defined variables are pointing to the right thing: + * `virtio_win_iso` : The ISO containing thethe lastest VirtIO drivers + * `packer_build_dir` : Where to output the QCOW2 images. It's a temporary directory, the .box files will still be in DetectionLab/Packer + +3. Build the images +``` +env TMPDIR=/path/to/large/storage/ PACKER_LOG=1 PACKER_LOG_PATH="packer_build.log" packer build --only=qemu windows_2016.json +env TMPDIR=/path/to/large/storage/ PACKER_LOG=1 PACKER_LOG_PATH="packer_build.log" packer build --only=qemu windows_10.json +``` + +### Vagrant +1. Install the necessary plugins: +* `vagrant plugin install vagrant-reload vagrant-libvirt vagrant-winrm-syncedfolders` +* See the guide for ubuntu as the vagrant packages comes with a ton on unofficial & outdated plugins that will cause problems +2. Add the previously built windows .box files +* `vagrant box add windows_10_libvirt.box --name windows_10_libvirt` +* `vagrant box add windows_2016_libvirt.box --name windows_2016_libvirt` +3. Build: `vagrant up --provider libvirt --no-parallel --provision` + +#### Notes: +The libvirt builder is highly experimental. This sections describes the tradeoffs and the differences between the vanilla DetectionLab. + +- No pre-built images and integration with the build.sh script for now. This means building the Windows base boxes with Packer (> 1h) and provisioning with Vagrant manually (> 1h). Fortunately, the process is relatively straightforward. +- The boxes will have two network adapters +The vagrant-libvirt provider works by binding to a "management" network adapter IP addresses. The way vagrant finds the VM's IP address is by probing the dnsmasq lease file of libvirt's host. There's probably a better way, but this is the best I could do that just works (tm) so far. Here's what the configuration looks like: + +* Management Network: Isolated network, no NAT, no internet access, with DHCP. +* Detectionlab Network: 192.168.38.0/24, with NAT, with internet access, with DHCP. + +- The synced folder is using an old, slow and buggy plugin. While this barely works, it's enough to push the provisioning scripts to the Windows instances. Any modifications to the `vm.synced_folder` in the VagrantFile libvirt provider will likely break the provisionning process + +- The graphical and input settings assume the use of virt-manager with the SPICE viewer on Windows and the VNC viewer on Linux (logger). The spice agent for copy/pasting and other quality of life improvement, like auto-resolution changes is *NOT* installed on the Windows hosts. *Guacamole* is a better way to access your VMs. diff --git a/Packer/answer_files/10_virtio/Autounattend.xml b/Packer/answer_files/10_virtio/Autounattend.xml new file mode 100755 index 0000000..6d9add4 --- /dev/null +++ b/Packer/answer_files/10_virtio/Autounattend.xml @@ -0,0 +1,275 @@ + + + + + + + + E:\viostor\w10\amd64 + + + E:\vioscsi\w10\amd64 + + + E:\NetKVM\w10\amd64 + + + E:\Baloon\w10\amd64 + + + E:\pvpanic\w10\amd64 + + + E:\qxldod\w10\amd64 + + + + + + + + + + 1 + Primary + true + + + + + false + NTFS + C + 1 + 1 + + + + 0 + true + + OnError + + + true + Vagrant + Vagrant + + + + + NPPR9-FWDCX-D2C8J-H872K-2YT43 + Never + + + + + + 0 + 1 + + OnError + false + + + /IMAGE/NAME + Windows 10 Enterprise Evaluation + + + + + + + + en-US + + en-US + en-US + en-US + en-US + en-US + + + + + false + + + + + en-US + en-US + en-US + en-US + + + + + vagrant + true</PlainText> + </AdministratorPassword> + <LocalAccounts> + <LocalAccount wcm:action="add"> + <Password> + <Value>vagrant</Value> + <PlainText>true</PlainText> + </Password> + <Description>Vagrant User</Description> + <DisplayName>vagrant</DisplayName> + <Group>administrators</Group> + <Name>vagrant</Name> + </LocalAccount> + </LocalAccounts> + </UserAccounts> + <OOBE> + <HideEULAPage>true</HideEULAPage> + <HideWirelessSetupInOOBE>true</HideWirelessSetupInOOBE> + <NetworkLocation>Home</NetworkLocation> + <ProtectYourPC>1</ProtectYourPC> + </OOBE> + <AutoLogon> + <Password> + <Value>vagrant</Value> + <PlainText>true</PlainText> + </Password> + <Username>vagrant</Username> + <Enabled>true</Enabled> + </AutoLogon> + <FirstLogonCommands> + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c powershell -Command "Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force"</CommandLine> + <Description>Set Execution Policy 64 Bit</Description> + <Order>1</Order> + <RequiresUserInput>true</RequiresUserInput> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>C:\Windows\SysWOW64\cmd.exe /c powershell -Command "Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force"</CommandLine> + <Description>Set Execution Policy 32 Bit</Description> + <Order>2</Order> + <RequiresUserInput>true</RequiresUserInput> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c reg add "HKLM\System\CurrentControlSet\Control\Network\NewNetworkWindowOff"</CommandLine> + <Description>Network prompt</Description> + <Order>3</Order> + <RequiresUserInput>true</RequiresUserInput> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File a:\fixnetwork.ps1</CommandLine> + <Description>Fix public network</Description> + <Order>4</Order> + <RequiresUserInput>true</RequiresUserInput> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File a:\disable-winrm.ps1</CommandLine> + <Description>Disable WinRM</Description> + <Order>5</Order> + <RequiresUserInput>true</RequiresUserInput> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>%SystemRoot%\System32\reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ /v HideFileExt /t REG_DWORD /d 0 /f</CommandLine> + <Order>6</Order> + <Description>Show file extensions in Explorer</Description> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>%SystemRoot%\System32\reg.exe ADD HKCU\Console /v QuickEdit /t REG_DWORD /d 1 /f</CommandLine> + <Order>7</Order> + <Description>Enable QuickEdit mode</Description> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>%SystemRoot%\System32\reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ /v Start_ShowRun /t REG_DWORD /d 1 /f</CommandLine> + <Order>8</Order> + <Description>Show Run command in Start Menu</Description> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>%SystemRoot%\System32\reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ /v StartMenuAdminTools /t REG_DWORD /d 1 /f</CommandLine> + <Order>9</Order> + <Description>Show Administrative Tools in Start Menu</Description> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>%SystemRoot%\System32\reg.exe ADD HKLM\SYSTEM\CurrentControlSet\Control\Power\ /v HibernateFileSizePercent /t REG_DWORD /d 0 /f</CommandLine> + <Order>10</Order> + <Description>Zero Hibernation File</Description> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>%SystemRoot%\System32\reg.exe ADD HKLM\SYSTEM\CurrentControlSet\Control\Power\ /v HibernateEnabled /t REG_DWORD /d 0 /f</CommandLine> + <Order>11</Order> + <Description>Disable Hibernation Mode</Description> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c wmic useraccount where "name='vagrant'" set PasswordExpires=FALSE</CommandLine> + <Order>12</Order> + <Description>Disable password expiration for vagrant user</Description> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>%SystemRoot%\System32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /t REG_SZ /d "vagrant" /f</CommandLine> + <Order>13</Order> + <Description>Enable AutoLogon</Description> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>%SystemRoot%\System32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 1 /f</CommandLine> + <Order>14</Order> + <Description>Enable AutoLogon</Description> + </SynchronousCommand> + <!-- WITHOUT WINDOWS UPDATES --> + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File a:\enable-winrm.ps1</CommandLine> + <Description>Enable WinRM</Description> + <Order>99</Order> + </SynchronousCommand> + <!-- END WITHOUT WINDOWS UPDATES --> + <!-- WITH WINDOWS UPDATES --> + <!-- + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c a:\microsoft-updates.bat</CommandLine> + <Order>98</Order> + <Description>Enable Microsoft Updates</Description> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File a:\disable-screensaver.ps1</CommandLine> + <Description>Disable Screensaver</Description> + <Order>99</Order> + <RequiresUserInput>true</RequiresUserInput> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File a:\win-updates.ps1</CommandLine> + <Description>Install Windows Updates</Description> + <Order>100</Order> + <RequiresUserInput>true</RequiresUserInput> + </SynchronousCommand> + --> + <!-- END WITH WINDOWS UPDATES --> + </FirstLogonCommands> + <ShowWindowsLive>false</ShowWindowsLive> + </component> + </settings> + <settings pass="specialize"> + <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"> + <OEMInformation> + <HelpCustomized>false</HelpCustomized> + </OEMInformation> + <!-- Rename computer here. --> + <ComputerName>vagrant-10</ComputerName> + <TimeZone>Pacific Standard Time</TimeZone> + <RegisteredOwner/> + </component> + <component xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Microsoft-Windows-Security-SPP-UX" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"> + <SkipAutoActivation>true</SkipAutoActivation> + </component> + <component name="Security-Malware-Windows-Defender" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> + <DisableAntiSpyware>true</DisableAntiSpyware> + </component> + </settings> + <cpi:offlineImage xmlns:cpi="urn:schemas-microsoft-com:cpi" cpi:source="catalog:d:/sources/install_windows 7 ENTERPRISE.clg"/> +</unattend> diff --git a/Packer/answer_files/2016_virtio/Autounattend.xml b/Packer/answer_files/2016_virtio/Autounattend.xml new file mode 100755 index 0000000..1152963 --- /dev/null +++ b/Packer/answer_files/2016_virtio/Autounattend.xml @@ -0,0 +1,271 @@ +<?xml version="1.0" encoding="utf-8"?> +<unattend xmlns="urn:schemas-microsoft-com:unattend"> + <settings pass="windowsPE"> + <component name="Microsoft-Windows-PnpCustomizationsWinPE" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> + <DriverPaths> + <PathAndCredentials wcm:keyValue="1" wcm:action="add"> + <Path>E:\viostor\2k16\amd64</Path> + </PathAndCredentials> + <PathAndCredentials wcm:keyValue="2" wcm:action="add"> + <Path>E:\vioscsi\2k16\amd64</Path> + </PathAndCredentials> + <PathAndCredentials wcm:keyValue="3" wcm:action="add"> + <Path>E:\NetKVM\2k16\amd64</Path> + </PathAndCredentials> + <PathAndCredentials wcm:keyValue="4" wcm:action="add"> + <Path>E:\Baloon\2k16\amd64</Path> + </PathAndCredentials> + <PathAndCredentials wcm:keyValue="5" wcm:action="add"> + <Path>E:\pvpanic\2k16\amd64</Path> + </PathAndCredentials> + <PathAndCredentials wcm:keyValue="6" wcm:action="add"> + <Path>E:\qxldod\2k16\amd64</Path> + </PathAndCredentials> + </DriverPaths> + + </component> + <component name="Microsoft-Windows-International-Core-WinPE" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> + <SetupUILanguage> + <UILanguage>en-US</UILanguage> + </SetupUILanguage> + <InputLocale>en-US</InputLocale> + <SystemLocale>en-US</SystemLocale> + <UILanguage>en-US</UILanguage> + <UILanguageFallback>en-US</UILanguageFallback> + <UserLocale>en-US</UserLocale> + </component> + <component name="Microsoft-Windows-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> + <DiskConfiguration> + <Disk wcm:action="add"> + <CreatePartitions> + <CreatePartition wcm:action="add"> + <Type>Primary</Type> + <Order>1</Order> + <Size>350</Size> + </CreatePartition> + <CreatePartition wcm:action="add"> + <Order>2</Order> + <Type>Primary</Type> + <Extend>true</Extend> + </CreatePartition> + </CreatePartitions> + <ModifyPartitions> + <ModifyPartition wcm:action="add"> + <Active>true</Active> + <Format>NTFS</Format> + <Label>boot</Label> + <Order>1</Order> + <PartitionID>1</PartitionID> + </ModifyPartition> + <ModifyPartition wcm:action="add"> + <Format>NTFS</Format> + <Label>Windows 2016</Label> + <Letter>C</Letter> + <Order>2</Order> + <PartitionID>2</PartitionID> + </ModifyPartition> + </ModifyPartitions> + <DiskID>0</DiskID> + <WillWipeDisk>true</WillWipeDisk> + </Disk> + </DiskConfiguration> + <ImageInstall> + <OSImage> + <InstallFrom> + <MetaData wcm:action="add"> + <Key>/IMAGE/NAME</Key> + <Value>Windows Server 2016 SERVERSTANDARD</Value> + </MetaData> + </InstallFrom> + <InstallTo> + <DiskID>0</DiskID> + <PartitionID>2</PartitionID> + </InstallTo> + </OSImage> + </ImageInstall> + <UserData> + <!-- Product Key from https://www.microsoft.com/de-de/evalcenter/evaluate-windows-server-technical-preview?i=1 --> + <ProductKey> + <!-- Do not uncomment the Key element if you are using trial ISOs --> + <!-- You must uncomment the Key element (and optionally insert your own key) if you are using retail or volume license ISOs --> + <!-- <Key>6XBNX-4JQGW-QX6QG-74P76-72V67</Key> --> + <WillShowUI>OnError</WillShowUI> + </ProductKey> + <AcceptEula>true</AcceptEula> + <FullName>Vagrant</FullName> + <Organization>Vagrant</Organization> + </UserData> + </component> + </settings> + <settings pass="specialize"> + <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> + <OEMInformation> + <HelpCustomized>false</HelpCustomized> + </OEMInformation> + <ComputerName>vagrant-2016</ComputerName> + <TimeZone>Pacific Standard Time</TimeZone> + <RegisteredOwner/> + </component> + <component name="Microsoft-Windows-ServerManager-SvrMgrNc" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> + <DoNotOpenServerManagerAtLogon>true</DoNotOpenServerManagerAtLogon> + </component> + <component name="Microsoft-Windows-IE-ESC" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> + <IEHardenAdmin>false</IEHardenAdmin> + <IEHardenUser>false</IEHardenUser> + </component> + <component name="Microsoft-Windows-OutOfBoxExperience" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> + <DoNotOpenInitialConfigurationTasksAtLogon>true</DoNotOpenInitialConfigurationTasksAtLogon> + </component> + <component name="Microsoft-Windows-Security-SPP-UX" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> + <SkipAutoActivation>true</SkipAutoActivation> + </component> + <component name="Microsoft-Windows-Deployment" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> + <RunSynchronous> + <RunSynchronousCommand wcm:action="add"> + <Order>1</Order> + <Description>Set Execution Policy 64 Bit</Description> + <Path>cmd.exe /c powershell -Command "Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force"</Path> + </RunSynchronousCommand> + <RunSynchronousCommand wcm:action="add"> + <Order>2</Order> + <Description>Set Execution Policy 32 Bit</Description> + <Path>cmd.exe /c powershell -Command "Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force"</Path> + </RunSynchronousCommand> + <RunSynchronousCommand wcm:action="add"> + <Order>3</Order> + <Description>Disable WinRM</Description> + <Path>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File a:\disable-winrm.ps1</Path> + </RunSynchronousCommand> + </RunSynchronous> + </component> + </settings> + <settings pass="oobeSystem"> + <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> + <AutoLogon> + <Password> + <Value>vagrant</Value> + <PlainText>true</PlainText> + </Password> + <Enabled>true</Enabled> + <Username>vagrant</Username> + </AutoLogon> + <FirstLogonCommands> + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c powershell -Command "Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force"</CommandLine> + <Description>Set Execution Policy 64 Bit</Description> + <Order>1</Order> + <RequiresUserInput>true</RequiresUserInput> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>C:\Windows\SysWOW64\cmd.exe /c powershell -Command "Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force"</CommandLine> + <Description>Set Execution Policy 32 Bit</Description> + <Order>2</Order> + <RequiresUserInput>true</RequiresUserInput> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File a:\disable-winrm.ps1</CommandLine> + <Description>Disable WinRM</Description> + <Order>3</Order> + <RequiresUserInput>true</RequiresUserInput> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>%SystemRoot%\System32\reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ /v HideFileExt /t REG_DWORD /d 0 /f</CommandLine> + <Order>4</Order> + <Description>Show file extensions in Explorer</Description> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>%SystemRoot%\System32\reg.exe ADD HKCU\Console /v QuickEdit /t REG_DWORD /d 1 /f</CommandLine> + <Order>5</Order> + <Description>Enable QuickEdit mode</Description> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>%SystemRoot%\System32\reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ /v Start_ShowRun /t REG_DWORD /d 1 /f</CommandLine> + <Order>6</Order> + <Description>Show Run command in Start Menu</Description> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>%SystemRoot%\System32\reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ /v StartMenuAdminTools /t REG_DWORD /d 1 /f</CommandLine> + <Order>7</Order> + <Description>Show Administrative Tools in Start Menu</Description> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>%SystemRoot%\System32\reg.exe ADD HKLM\SYSTEM\CurrentControlSet\Control\Power\ /v HibernateFileSizePercent /t REG_DWORD /d 0 /f</CommandLine> + <Order>8</Order> + <Description>Zero Hibernation File</Description> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>%SystemRoot%\System32\reg.exe ADD HKLM\SYSTEM\CurrentControlSet\Control\Power\ /v HibernateEnabled /t REG_DWORD /d 0 /f</CommandLine> + <Order>9</Order> + <Description>Disable Hibernation Mode</Description> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c wmic useraccount where "name='vagrant'" set PasswordExpires=FALSE</CommandLine> + <Order>10</Order> + <Description>Disable password expiration for vagrant user</Description> + </SynchronousCommand> + <!-- WITHOUT WINDOWS UPDATES --> + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File a:\enable-winrm.ps1</CommandLine> + <Description>Enable WinRM</Description> + <Order>99</Order> + </SynchronousCommand> + <!-- END WITHOUT WINDOWS UPDATES --> + <!-- WITH WINDOWS UPDATES --> + <!-- + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c a:\microsoft-updates.bat</CommandLine> + <Order>98</Order> + <Description>Enable Microsoft Updates</Description> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File a:\disable-screensaver.ps1</CommandLine> + <Description>Disable Screensaver</Description> + <Order>99</Order> + <RequiresUserInput>true</RequiresUserInput> + </SynchronousCommand> + <SynchronousCommand wcm:action="add"> + <CommandLine>cmd.exe /c C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File a:\win-updates.ps1</CommandLine> + <Description>Install Windows Updates</Description> + <Order>100</Order> + <RequiresUserInput>true</RequiresUserInput> + </SynchronousCommand> + --> + <!-- END WITH WINDOWS UPDATES --> + </FirstLogonCommands> + <OOBE> + <HideEULAPage>true</HideEULAPage> + <HideLocalAccountScreen>true</HideLocalAccountScreen> + <HideOEMRegistrationScreen>true</HideOEMRegistrationScreen> + <HideOnlineAccountScreens>true</HideOnlineAccountScreens> + <HideWirelessSetupInOOBE>true</HideWirelessSetupInOOBE> + <NetworkLocation>Home</NetworkLocation> + <ProtectYourPC>1</ProtectYourPC> + </OOBE> + <UserAccounts> + <AdministratorPassword> + <Value>vagrant</Value> + <PlainText>true</PlainText> + </AdministratorPassword> + <LocalAccounts> + <LocalAccount wcm:action="add"> + <Password> + <Value>vagrant</Value> + <PlainText>true</PlainText> + </Password> + <Group>administrators</Group> + <DisplayName>Vagrant</DisplayName> + <Name>vagrant</Name> + <Description>Vagrant User</Description> + </LocalAccount> + </LocalAccounts> + </UserAccounts> + <RegisteredOwner /> + </component> + </settings> + <settings pass="offlineServicing"> + <component name="Microsoft-Windows-LUA-Settings" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> + <EnableLUA>false</EnableLUA> + </component> + </settings> + <cpi:offlineImage cpi:source="wim:c:/wim/install.wim#Windows Server 2012 R2 SERVERSTANDARD" xmlns:cpi="urn:schemas-microsoft-com:cpi" /> +</unattend> diff --git a/Packer/answer_files/2016_virtio/Autounattend_sysprep.xml b/Packer/answer_files/2016_virtio/Autounattend_sysprep.xml new file mode 100755 index 0000000..cb538aa --- /dev/null +++ b/Packer/answer_files/2016_virtio/Autounattend_sysprep.xml @@ -0,0 +1,49 @@ +<?xml version="1.0" encoding="utf-8"?> +<unattend xmlns="urn:schemas-microsoft-com:unattend"> + <settings pass="generalize"> + <component name="Microsoft-Windows-Security-SPP" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> + <SkipRearm>0</SkipRearm> + </component> + <component name="Microsoft-Windows-PnpSysprep" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> + <PersistAllDeviceInstalls>false</PersistAllDeviceInstalls> + <DoNotCleanUpNonPresentDevices>false</DoNotCleanUpNonPresentDevices> + </component> + </settings> + <settings pass="oobeSystem"> + <component name="Microsoft-Windows-International-Core" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> + <InputLocale>en-US</InputLocale> + <SystemLocale>en-US</SystemLocale> + <UILanguage>en-US</UILanguage> + <UserLocale>en-US</UserLocale> + </component> + <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> + <OOBE> + <HideEULAPage>true</HideEULAPage> + <ProtectYourPC>1</ProtectYourPC> + <NetworkLocation>Home</NetworkLocation> + <HideWirelessSetupInOOBE>true</HideWirelessSetupInOOBE> + </OOBE> + <TimeZone>UTC</TimeZone> + <UserAccounts> + <AdministratorPassword> + <Value>vagrant</Value> + <PlainText>true</PlainText> + </AdministratorPassword> + <LocalAccounts> + <LocalAccount wcm:action="add"> + <Password> + <Value>vagrant</Value> + <PlainText>true</PlainText> + </Password> + <Group>administrators</Group> + <DisplayName>Vagrant</DisplayName> + <Name>vagrant</Name> + <Description>Vagrant User</Description> + </LocalAccount> + </LocalAccounts> + </UserAccounts> + </component> + </settings> + <settings pass="specialize"> + </settings> +</unattend> diff --git a/Packer/windows_10.json b/Packer/windows_10.json index 524fd07..ef72bbb 100644 --- a/Packer/windows_10.json +++ b/Packer/windows_10.json @@ -1,5 +1,49 @@ { "builders": [ + { + "type": "qemu", + "vm_name":"windows_10", + "communicator": "winrm", + "iso_url": "{{user `iso_url`}}", + "iso_checksum_type": "{{user `iso_checksum_type`}}", + "iso_checksum": "{{user `iso_checksum`}}", + "headless": true, + "boot_wait": "6m", + "boot_command": "", + "winrm_username": "vagrant", + "winrm_password": "vagrant", + "winrm_timeout": "4h", + "shutdown_timeout": "2h", + "shutdown_command": "a:/sysprep.bat", + + "accelerator": "kvm", + "disk_size": "{{user `disk_size`}}", + + "output_directory": "{{ user `packer_build_dir`}}", + + "qemuargs": [ + [ "-m", "2048"], + [ "-smp", "2"], + [ "-drive", "file={{ user `virtio_win_iso` }},media=cdrom,index=3" ], + [ "-drive", "file={{ user `packer_build_dir`}}/{{ .Name }},if=virtio,cache=writeback,discard=ignore,format=qcow2,index=1" ] + ], + + "floppy_files": [ + "{{user `autounattend_virtio`}}", + "./floppy/WindowsPowershell.lnk", + "./floppy/PinTo10.exe", + "./scripts/fixnetwork.ps1", + "./scripts/rearm-windows.ps1", + "./scripts/disable-screensaver.ps1", + "./scripts/disable-winrm.ps1", + "./scripts/enable-winrm.ps1", + "./scripts/microsoft-updates.bat", + "./scripts/win-updates.ps1", + "./scripts/unattend.xml", + "./scripts/sysprep.bat" + ] + + }, { "type": "vmware-iso", "vm_name":"windows_10", @@ -141,6 +185,11 @@ "iso_checksum_type": "sha256", "iso_url": "https://software-download.microsoft.com/download/pr/18362.30.190401-1528.19h1_release_svc_refresh_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso", "autounattend": "./answer_files/10/Autounattend.xml", - "disk_size": "61440" + "disk_size": "61440", + "virtio_win_iso": "./virtio-win.iso", + "autounattend_virtio": "./answer_files/10_virtio/Autounattend.xml", + "packer_build_dir": "/media/packer_build_dir/win10" + } +} } } diff --git a/Packer/windows_2016.json b/Packer/windows_2016.json index 967f465..5592854 100644 --- a/Packer/windows_2016.json +++ b/Packer/windows_2016.json @@ -1,5 +1,48 @@ { "builders": [ + { + "type": "qemu", + "vm_name":"windows_10", + "communicator": "winrm", + "iso_url": "{{user `iso_url`}}", + "iso_checksum_type": "{{user `iso_checksum_type`}}", + "iso_checksum": "{{user `iso_checksum`}}", + "headless": false, + "boot_wait": "6m", + "boot_command": "", + "winrm_username": "vagrant", + "winrm_password": "vagrant", + "winrm_timeout": "4h", + "shutdown_command": "shutdown /s /t 10 /f /d p:4:1 /c \"Packer Shutdown\"", + + "cpus": "2", + "memory": "2048", + "accelerator": "kvm", + "disk_size": "{{user `disk_size`}}", + + "output_directory": "{{ user `packer_build_dir`}}", + + "qemuargs": [ + [ "-drive", "file={{ user `virtio_win_iso` }},media=cdrom,index=3" ], + [ "-drive", "file={{ user `packer_build_dir`}}/{{ .Name }},if=virtio,cache=writeback,discard=ignore,format=qcow2,index=1" ] + ], + + "floppy_files": [ + "{{user `autounattend_virtio`}}", + "./floppy/WindowsPowershell.lnk", + "./floppy/PinTo10.exe", + "./scripts/fixnetwork.ps1", + "./scripts/MakeWindows10GreatAgain.ps1", + "./scripts/MakeWindows10GreatAgain.reg", + "./scripts/rearm-windows.ps1", + "./scripts/disable-screensaver.ps1", + "./scripts/disable-winrm.ps1", + "./scripts/enable-winrm.ps1", + "./scripts/microsoft-updates.bat", + "./scripts/win-updates.ps1" + ] + + }, { "vm_name":"WindowsServer2016", "type": "vmware-iso", diff --git a/Terraform/locals.tf b/Terraform/locals.tf index f2b5fd1..380edb7 100644 --- a/Terraform/locals.tf +++ b/Terraform/locals.tf @@ -4,4 +4,3 @@ locals { ata_url = "https://${aws_instance.wef.public_ip}" guacamole_url = "http://${aws_instance.logger.public_ip}:8080/guacamole" } - diff --git a/Vagrant/Vagrantfile b/Vagrant/Vagrantfile index b63a906..cce7dc4 100644 --- a/Vagrant/Vagrantfile +++ b/Vagrant/Vagrantfile @@ -1,7 +1,26 @@ +libvirt_win10_box = "../Boxes/windows_10_libvirt.box" +libvirt_win2016_box = "../Boxes/windows_2016_libvirt.box" + Vagrant.configure("2") do |config| + config.vm.provider "libvirt" do |libvirt| + # This is required for Vagrant to properly configure the network interfaces. + # See libvirt's README section for more information + + libvirt.management_network_name = "VagrantMgmt" + libvirt.management_network_address = "192.168.123.0/24" + libvirt.management_network_mode = "none" + + libvirt.cpu_mode = "host-passthrough" + + # Which storage pool path to use. Default to /var/lib/libvirt/images or ~/.local/share/libvirt/images depending on if you are running a system or user QEMU/KVM session. + #libvirt.storage_pool_path = '/media/storage_nvme/system_session_vm_pool' + libvirt.storage_pool_name = 'default' + end + config.vm.define "logger" do |cfg| - cfg.vm.box = "bento/ubuntu-18.04" + cfg.vm.box = "generic/ubuntu1604" + cfg.vm.hostname = "logger" cfg.vm.provision :shell, path: "bootstrap.sh" cfg.vm.network :private_network, ip: "192.168.38.105", gateway: "192.168.38.1", dns: "8.8.8.8" @@ -24,6 +43,17 @@ Vagrant.configure("2") do |config| vb.customize ["modifyvm", :id, "--natdnshostresolver1", "on"] vb.customize ["setextradata", "global", "GUI/SuppressMessages", "all" ] end + + cfg.vm.provider "libvirt" do |lv, override| + lv.graphics_type = "vnc" + lv.video_type = "vga" + lv.input :type => "tablet", :bus => "usb" + lv.video_vram = 32768 + lv.memory = 4096 + lv.cpus = 2 + + override.vm.synced_folder './', '/vagrant', type: 'rsync' + end end config.vm.define "dc" do |cfg| @@ -35,9 +65,10 @@ Vagrant.configure("2") do |config| cfg.winrm.basic_auth_only = true cfg.winrm.timeout = 300 cfg.winrm.retry_limit = 20 - cfg.vm.network :private_network, ip: "192.168.38.102", gateway: "192.168.38.1" + cfg.vm.network :private_network, ip: "192.168.38.102", gateway: "192.168.38.1", dns: "8.8.8.8" - cfg.vm.provision "shell", path: "scripts/fix-second-network.ps1", privileged: false, args: "192.168.38.102" + # Added DNS here because libvirt fails to properly configure the windows client otherwise... :( + cfg.vm.provision "shell", path: "scripts/fix-second-network.ps1", privileged: true, args: "-ip 192.168.38.102 -dns 8.8.8.8 -gateway 192.168.38.1" cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false cfg.vm.provision "reload" cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false @@ -77,6 +108,26 @@ Vagrant.configure("2") do |config| vb.customize ["modifyvm", :id, "--natdnshostresolver1", "on"] vb.customize ["setextradata", "global", "GUI/SuppressMessages", "all" ] end + + cfg.vm.provider "libvirt" do |lv, override| + lv.graphics_type = "spice" + lv.video_type = "qxl" + lv.input :type => "tablet", :bus => "usb" + + override.vm.box = libvirt_win2016_box + lv.video_vram = 32768 + lv.memory = 3072 + lv.cpus = 2 + # This is NOT the right semantic for Vagrant synced folder. It's a dirty hack around : + # https://github.com/Cimpress-MCP/vagrant-winrm-syncedfolders/issues/11 + # If dest is /vagrant, it'll upload in C:\vagrant\Vagrant.... + # It's like 'cp /my/dir /my/dir2' vs 'cp /my/dir /my/dir2/' + # + # The Winrm synced folder plugin is also excruciatingly slow. Would gladly replace with something else + # that works with linux host and windows guest... + + override.vm.synced_folder '.', '/', type: 'winrm' + end end config.vm.define "wef" do |cfg| @@ -89,7 +140,7 @@ Vagrant.configure("2") do |config| cfg.winrm.retry_limit = 20 cfg.vm.network :private_network, ip: "192.168.38.103", gateway: "192.168.38.1", dns: "192.168.38.102" - cfg.vm.provision "shell", path: "scripts/fix-second-network.ps1", privileged: false, args: "-ip 192.168.38.103 -dns 192.168.38.102" + cfg.vm.provision "shell", path: "scripts/fix-second-network.ps1", privileged: true, args: "-ip 192.168.38.103 -dns 8.8.8.8 -gateway 192.168.38.1" cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false cfg.vm.provision "shell", inline: "cscript c:\\windows\\system32\\slmgr.vbs -rearm", privileged: false cfg.vm.provision "reload" @@ -129,6 +180,25 @@ Vagrant.configure("2") do |config| vb.customize ["modifyvm", :id, "--natdnshostresolver1", "on"] vb.customize ["setextradata", "global", "GUI/SuppressMessages", "all" ] end + + cfg.vm.provider "libvirt" do |lv, override| + lv.graphics_type = "spice" + lv.video_type = "qxl" + lv.input :type => "tablet", :bus => "usb" + override.vm.box = libvirt_win2016_box + lv.video_vram = 32768 + lv.memory = 2048 + lv.cpus = 2 + # This is NOT the right semantic for Vagrant synced folder. It's a dirty hack around : + # https://github.com/Cimpress-MCP/vagrant-winrm-syncedfolders/issues/11 + # If dest is /vagrant, it'll upload in C:\vagrant\Vagrant.... + # It's like 'cp /my/dir /my/dir2' vs 'cp /my/dir /my/dir2/' + # + # The Winrm synced folder plugin is also excruciatingly slow. Would gladly replace with something else + # that works with linux host and windows guest... + + override.vm.synced_folder '.', '/', type: 'winrm' + end end config.vm.define "win10" do |cfg| @@ -141,7 +211,7 @@ Vagrant.configure("2") do |config| cfg.winrm.retry_limit = 20 cfg.vm.network :private_network, ip: "192.168.38.104", gateway: "192.168.38.1", dns: "192.168.38.102" - cfg.vm.provision "shell", path: "scripts/fix-second-network.ps1", privileged: false, args: "-ip 192.168.38.104 -dns 192.168.38.102" + cfg.vm.provision "shell", path: "scripts/fix-second-network.ps1", privileged: true, args: "-ip 192.168.38.104 -dns 8.8.8.8 -gateway 192.168.38.1" cfg.vm.provision "shell", path: "scripts/MakeWindows10GreatAgain.ps1", privileged: false cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false cfg.vm.provision "shell", inline: "cscript c:\\windows\\system32\\slmgr.vbs -rearm", privileged: false @@ -178,5 +248,23 @@ Vagrant.configure("2") do |config| vb.customize ["modifyvm", :id, "--natdnshostresolver1", "on"] vb.customize ["setextradata", "global", "GUI/SuppressMessages", "all" ] end + cfg.vm.provider "libvirt" do |lv, override| + lv.graphics_type = "spice" + lv.video_type = "qxl" + lv.input :type => "tablet", :bus => "usb" + override.vm.box = libvirt_win10_box + lv.video_vram = 32768 + lv.memory = 2048 + lv.cpus = 2 + # This is NOT the right semantic for Vagrant synced folder. It's a dirty hack around : + # https://github.com/Cimpress-MCP/vagrant-winrm-syncedfolders/issues/11 + # If dest is /vagrant, it'll upload in C:\vagrant\Vagrant.... + # It's like 'cp /my/dir /my/dir2' vs 'cp /my/dir /my/dir2/' + # + # The Winrm synced folder plugin is also excruciatingly slow. Would gladly replace with something else + # that works with linux host and windows guest... + + override.vm.synced_folder '.', '/', type: 'winrm' + end end end diff --git a/Vagrant/bootstrap.sh b/Vagrant/bootstrap.sh index 906f5a2..e121e8e 100644 --- a/Vagrant/bootstrap.sh +++ b/Vagrant/bootstrap.sh @@ -57,6 +57,11 @@ test_prerequisites() { } fix_eth1_static_ip() { + USING_KVM=$(sudo lsmod | grep kvm) + if [ ! -z "$USING_KVM" ]; then + echo "[*] Using KVM, no need to fix DHCP for eth1 iface" + return 0 + fi # There's a fun issue where dhclient keeps messing with eth1 despite the fact # that eth1 has a static IP set. We workaround this by setting a static DHCP lease. echo -e 'interface "eth1" { diff --git a/Vagrant/scripts/fix-second-network.ps1 b/Vagrant/scripts/fix-second-network.ps1 index 4c199cc..d38f7fe 100755 --- a/Vagrant/scripts/fix-second-network.ps1 +++ b/Vagrant/scripts/fix-second-network.ps1 @@ -1,10 +1,32 @@ # Source: https://github.com/StefanScherer/adfs2 -param ([String] $ip, [String] $dns) +param ([String] $ip, [String] $dns, [String] $gateway) -if (! (Test-Path 'C:\Program Files\VMware\VMware Tools')) { +if ( (Get-NetAdapter | Select-Object -First 1 | Select-Object -ExpandProperty InterfaceDescription).Contains('Red Hat VirtIO')) { + Write-Host "Setting Network Configuration for LibVirt interface" + $subnet = $ip -replace "\.\d+$", "" + $name = (Get-NetIPAddress -AddressFamily IPv4 ` + | Where-Object -FilterScript { ($_.IPAddress).StartsWith("$subnet") } ` + ).InterfaceAlias + if ($name) { + Write-Host "Set IP address to $ip of interface $name" + & netsh.exe int ip set address "$name" static $ip 255.255.255.0 "$gateway" + if ($dns) { + Write-Host "Set DNS server address to $dns of interface $name" + & netsh.exe interface ipv4 add dnsserver "$name" address=$dns index=1 + } + } else { + Write-Error "Could not find a interface with subnet $subnet.xx" + } + + exit 0 +} + +if (! (Test-Path 'C:\Program Files\VMware\VMware Tools') ) { Write-Host "Nothing to do for other providers than VMware." exit 0 } + + Write-Host "$('[{0:HH:mm}]' -f (Get-Date))" Write-Host "Setting IP address and DNS information for the Ethernet1 interface" Write-Host "If this step times out, it's because vagrant is connecting to the VM on the wrong interface"